Malware Hiding in Backup Files?

thecommissar

Level 1
Thread author
Verified
May 10, 2016
20
So... I'm wondering whether malware (Ransomware in particular) can hide inside my backup files?

Basically, my computer was infected in the past, it was removed, but I have files which were 'exposed' to the attack which I now want to include in my backup.

1. What I'm wondering is whether the malware can hide inside the files themselves (i.e. I know it can hide in Excel, PDF, anywhere things can be executed), but I don't know whether something complex like ransomware can do so?

Usually I believe it just hides a secure remote URL which gets hit during execution and then the malware payload gets delivered.

2. I have scanned everything exhaustively, and of course in a backup archive nothing can execute, but I'm concerned that I could be archiving away malware which will one day re-emerge.

Thoughts?

_CyberGhosT_

Level 53
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Aug 2, 2015
4,286
That's a good question, I would be interested in the answer.
I would think that Ransomware itself would not, but you bring up a valid point with the hidden URL thing,
I will follow this, you have piqued my interest, great post. PeAcE
 

Alkajak

How do you propose this malware/ransomware would re-emerge without being executed?

1. Malware does not hide itself as xml, pdf, doc files. The malicious code is written in the macros within the actual file. Unless the extension is docm, I wouldn't worry about it. If the file isn't macro-enabled, it will not execute without prompting you if you would like to enable the macro.

2. Malware can only be executed by the user. It does not sound like you have a trigger.

As far as how ransomware can affect things, it can latch onto any removable device you plug into a ransomware infected computer. If your files were to be attacked and locked by ransomware, it would happen within seconds/minutes. There would be no delay or timer.
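The macro point above can be checked directly on a backup set before anything is restored. This is an added example, not code from anyone in the thread: modern Office files are zip containers, and a VBA project lives in a member named vbaProject.bin, so inspecting the container contents rather than trusting the extension also catches macro-enabled files that were renamed. The sample containers it builds are constructed for the self-test and are not real documents.

```python
"""Flag Office documents in a backup tree that carry a VBA macro project."""
import io
import os
import zipfile

# OOXML containers that can hold a VBA project; legacy OLE formats are not
# parsed here and are only flagged by extension for manual review.
OOXML_EXTS = {".docx", ".docm", ".dotm", ".xlsx", ".xlsm", ".xltm", ".pptx", ".pptm"}
LEGACY_OLE_EXTS = {".doc", ".dot", ".xls", ".xlt", ".ppt"}


def has_vba_project(path_or_fileobj):
    """True if the zip container has a word/xl/ppt vbaProject.bin member."""
    try:
        with zipfile.ZipFile(path_or_fileobj) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except (zipfile.BadZipFile, OSError):
        # Not a zip (or unreadable): no OOXML macro project to report.
        return False


def classify(path):
    """Return 'macro', 'clean', 'legacy-ole-review' or 'skip' for one file."""
    ext = os.path.splitext(path)[1].lower()
    if ext in LEGACY_OLE_EXTS:
        return "legacy-ole-review"
    if ext in OOXML_EXTS:
        return "macro" if has_vba_project(path) else "clean"
    return "skip"


def scan_backup(root):
    """Walk a restored/mounted backup directory; map path -> verdict."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            verdict = classify(path)
            if verdict != "skip":
                findings[path] = verdict
    return findings


def build_sample(with_macro):
    """Constructed minimal xlsx-like container used only for the self-test."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", b"placeholder-vba-stream")
    buf.seek(0)
    return buf
```

Running `scan_backup("/path/to/mounted/backup")` lists every document worth opening only in a sandbox or with macros disabled; a "legacy-ole-review" entry needs a dedicated OLE parser (for example oletools) to confirm.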
 

thecommissar

Level 1
Thread author
Verified
May 10, 2016
20
Well, ok, I'm sort of asking 2 different questions - one on malware in general, and how it can infect user documents/files, and secondly ransomware specifically because of its danger factor. I don't know much about this, so I'm just trying to get a better understanding of the risks. But I take your point that risk is probably low given no active acute infection.

- I'm suggesting it could lie dormant inside, like, an Excel file it infected when it attacked my computer the first time. When I one day 'restore/retrieve' that file from my archives, the VBA macro it's using could execute on the local machine and run some sort of remote payload drop.

- I'm not sure I understand your comment that malware can only be executed by the user... I mean, isn't the entire point of the anti-exe programs (like AppGuard, which I've been recently told about, or Voodoo Shield) to stop programs that the user does NOT run themselves?

- I have a slightly odd situation also in that while my machine was attacked by ransomware, and I removed all of it completely, I did not reformat the disk since then and added new data of course. Obviously this is a pretty terrible situation but... it's what happened. But in general, I'm just trying to imagine ransomware hanging around in my backup files dormant and ready to execute as a macro, or whatever, some day when I open/use that file.

- I'm also wondering how effective scanning the files with AV is; would they be able to detect something like an exe inside a file?
 

XhenEd

Level 28
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Mar 1, 2014
1,708
As far as I know, malware or ransomware can hide in files. This is done through encryption and/or obfuscation. But, I think hiding in files is done outside the targeted computer, meaning to say it is hidden in the file(s) by the malware author. Only when you have that infected file can you get the "malware within the file".

But, as to malware hiding themselves in the files while in the infected computer, I think it is not currently possible.

Scanning should eliminate these types of threats. Since you have scanned extensively already, then you should be good. :)
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
As previously mentioned, files that contain macros can generally lurk as innocent-looking Excel or Word files.

Honestly, the malware hides by changing the location of its file, which will make the program inaccessible, but in the case of ransomware, well, it's more on encryption.
 

thecommissar

Level 1
Thread author
Verified
May 10, 2016
20
> As far as I know, malware or ransomware can hide in files. This is done through encryption and/or obfuscation. But, I think hiding in files is done outside the targeted computer, meaning to say it is hidden in the file(s) by the malware author. Only when you have that infected file can you get the "malware within the file".
>
> But, as to malware hiding themselves in the files while in the infected computer, I think it is not currently possible.

Right, this is exactly what I've been getting at. I've imagined malware/ransomware that can actually inject itself into a user's pre-existing documents/files and corrupt them and lie dormant. Like a real virus, if you will. Obviously if the file itself is de novo malware written by the evil malware architect, that's completely different.

Presumably it will either corrupt the OS, inject into .dlls, hide in system folders, etc., but will not in and of itself corrupt a user file/document.

** So basically, let's say you have an Excel doc which you write a macro in and save. You then get hit with ransomware via a standard vector and survive the onslaught, the malware files are destroyed. During the window of attack, if they *could* insert themselves and hide inside user documents, I can only imagine the catastrophe of that - when that one Excel doc got uploaded to a cloud backup... and one day restored... the ransomware would execute on a possibly unsecure machine (since the user would expect their backup files to be safe).

As you've mentioned, this is NOT something I've heard of, and the whole ransomware model obviously does not need this type of sophistication to make money, but even if it's not yet possible, I imagine it will be one day (or even soon). So it's something I worry about.

***All that said - thanks for the clarification, I was starting to get paranoid thinking there's ransomware code hiding out in one of my docs or Excel files somewhere waiting to attack me lol.

****Also, I think this goes to the protection offered by anti-exe programs, so I'm going to be figuring out which of the 3 (AppGuard, Voodoo, NVT) I want to use; I'm leaning towards Voodoo because I've heard it's simpler to configure, maybe NVT... but probably not AppGuard as it's just too complex to configure correctly for me.